CMMC and Small Businesses – Part 1: Logical Access
There are good reasons for private industry companies to do business with the Department of Defense. Contracts typically span several years and are often reliably renewed – in part because landing them in the first place requires companies to jump through a lot of hoops. One of the biggest hoops? CMMC. DoD contractors, subcontractors, and sub-subcontractors are each required to comply with one of the three levels of the Cybersecurity Maturity Model Certification (CMMC standards). As you might expect with government regulations, there’s quite a lot to it.
For many small- to medium-sized businesses (SMBs) and 80% of the defense industrial base, you likely just need to make it to CMMC Level 2: Managed. Achieving CMMC Level 2 compliance can, however, be a pretty major undertaking. There are 14 practice domains to cover with more than 100 controls. So, it’s a lot to take on.
It’s not insurmountable, though. Just an undertaking that requires forethought and a lot of support – which is where we come in! In this blog series, we’re going to unpack the CMMC standards that SMBs tend to struggle with the most. Don’t worry, we’re going to break them down into manageable chunks and avoid getting lost in the acronyms.
In this post, we’ll cover the domains that can loosely be grouped under the heading of logical access.
CMMC Standards for Logical Access – Who Can Get In?
The first two practice domains of the CMMC guidelines are big ones: Access Control and Identification and Authentication. They largely deal with similar requirements, ensuring that only the right people can access sensitive information.
The main aspects of these domains that SMBs need to understand (and often struggle with) are:
- Unique accounts
- No shared accounts
- Password complexity rules
Essentially, the goal of access control is to ensure that only people with the appropriate training and clearance can access Controlled Unclassified Information (CUI). Of course, that’s generally the goal of all CMMC standards, but in this case, it’s specifically about managing who has direct access. One key way is for every user to have an unique account. Then, users can be granted or denied access to the relevant data based on their roles and responsibilities within the organization.
Do you have 30 users in your organization? 50? 100? Everyone needs their own unique account. Without unique accounts, an auditor (or your internal team) can’t track which user accessed which data at what times. In other words, you have to be able to put Mrs. Peacock in the library with the wrench. If the “admin” login is simply passed to whomever has the role at a given time, then you can’t really be sure if it was Mrs. Peacock, Professor Plum or Jerry from maintenance who found their way into the CUI files.
No Shared Accounts
Similarly, if you’re using a shared account, you can’t properly trace who did what. For example, let’s say you have a warehouse machine that manages inventory logistics in a shipping application. If the login is just for the “warehouse,” then if someone ships something or receives something or opens a file that contains CUI… you have no idea who did it.
Let’s be honest, a single login is much easier than making every warehouse employee across three shifts remember their own account information. But it’s also vastly less secure. And it won’t cut it if you want to meet CMMC standards.
This also applies to things like email accounts. Perhaps any email coming from a prime contractor has always been filtered to the same email inbox. Whoever holds the appropriate position at the time has access to that email. But when the person occupying that position moves on, does their access get removed? Is the password updated? All too often, the answer is probably not – which is a problem.
Unique accounts and no shared accounts ensure non-repudiation. What’s that, you wonder? Good question. Non-repudiation is essentially proof that the right information made it from the right person to the right person. Or, it’s proof of who took which actions when. Basically, you have to be able to connect the digital dots between where things come from, where they go and every person involved. And there has to be a “paper” trail. (It can be digital, of course, but you’ve got to have proof).
Password Complexity Rules
Most organizations don’t typically force 12 character, alphanumeric passwords on their users (let alone the preferred 16). Not to mention that those characters, numbers, and special characters must be non-repeating. And they have to be changed on a regular basis, typically 90 days. Want to meet CMMC standards? You need more complex passwords.
Without Active Directory or a domain controller to enforce your password complexity at a policy level, it can quickly get cumbersome. The good news is that with Active Directory, you can easily group policies. The domain controller will then orchestrate and adhere to those requirements. People will get automated reminders to update their passwords. The requirements will show up on the screen. If a person tries to use an 8-character password, the system will very politely inform them that the password does not meet the password complexity requirements set by the policy. Nobody in your IT department has to hassle anyone. It’s all done by the machine.
You Don’t Have to Figure Out CMMC Standards Alone
Again, this is all just part of the first two practice domains that CMMC covers. There are twelve more. (Don’t worry, we’re not going to cover all of them in this blog series). We just wanted to introduce you to some of the high level concepts, a piece at a time, so that it doesn’t seem too daunting.
The truth is – you can get your organization CMMC compliant. It will take time, patience and ideally some third party guidance. But you can get there. And it’s a worthwhile investment. CMMC compliance is the first step in eligibility to compete for the over $7 trillion of defense contracts released annually
Working with a certified RPO will make the process vastly easier, more efficient and ultimately cost-effective. Have questions? Reach out today.